在两个 rails4 应用程序之间共享会话 [英] Share session between two rails4 applications

问题描述

I am creating a application with devise. there is two domain name 1) www.test.com and 2) www.hello.com both domain pointing to same application. so I want to share session(current_user) between both app. user will login on (1) and it should access on domain(2).

Please suggest what's the best way todo it.

解决方案

The basic issue here is the way in which cookies work (which of course sessions depend on). A cookie has a domain attribute and browsers only send cookies whose domain match the request host (there's a little bit of subtlety of the meaning of a period at the start of the domain)

Furthermore, when setting a cookie, browsers will only accept a domain that is a parent domain of the current domain and which is not a public domain). For example if you are receiving a response from www.example.com it can set cookies for www.example.com or example.com, but not .com (Browsers have a list of which domain names shouldn't be allowed).

All this to say that if your two apps don't share a common parent (as it is in your case) then you can't share cookies and thus you can't share a rails session.

There are many ways to deal with this, a simple one is known as CAS (Central Authentication Service) protocol. The basic flow with this is

1. User goes to hello.com and tries to access some protected resource (e.g. /home
2. User is redirected to sso.example.com/service?=http://hello.com/home
3. The user's identity is verified here as usual: the user either logs in, is recognised from a cookie etc.
4. The sso service generates a ticket (an arbitary token) and redirects the user to `http://hello.com/home?ticket=ABC123
5. The application at hello.com makes a (server side) request back to the SSO server, passing the ticket
6. The SSO server responds indicating whether the ticket is valid. If the ticket is valid it will also include some information about the user (e.g. email)
7. hello.com sets a session cookie so that subsequent requests can skip steps 2-6

There are ruby implementations of cas (e.g. rubycas which has both a cas client and server) and devise strategies that use CAS. There are of course other ways you can do this, for example using oath, but CAS is somewhat simpler.

这篇关于在两个 rails4 应用程序之间共享会话的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！